From 36457f82f22dd98125f845c908a342a1bebb3a8f Mon Sep 17 00:00:00 2001
From: Matěj Cepl
Date: Tue, 28 May 2024 11:31:29 +0200
Subject: sendemail-validate: optionally use patatt to attest patches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
One weakness of the email based workflow as used on Sourcehut is that git send-email strips all signatures from commits. patatt is not strict equivalent of signed commits, but at least there is a cryptographic attestation that the patch was send by the person it pretends it was sent. Optional, default off, switched on by setting $ git config --bool sendemail.runPatatt true
Signed-off-by: Matěj Cepl
Acked-by: Robin Jarry
---
contrib/sendemail-validate | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'contrib')
diff --git a/contrib/sendemail-validate b/contrib/sendemail-validate
index 76031115..efcce648 100755
--- a/contrib/sendemail-validate
+++ b/contrib/sendemail-validate
@@ -27,7 +27,14 @@ validate_cover_letter () {
 validate_patch () {
 file="$1"
 # Ensure that the patch applies without conflicts.
- git am -3 "$file"
+ git am -3 "$file" || return
+ # Sign the patch if patatt is available.
+ case "$(git config --default false --get sendemail.runPatatt)" in
+ TRUE|True|true|yes|YES|Yes|Y|y|on|ON|On|1)
+ command -v patatt >/dev/null 2>&1 || return
+ patatt sign --hook "$file" || return 1
+ ;;
+ esac
 }
 
 validate_series () {
-- cgit
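Review bot: When `sendemail.runPatatt` is enabled but `patatt` is not installed, `command -v patatt >/dev/null 2>&1 || return` returns the non-zero status of `command -v` with all output discarded, so the patch is rejected with no indication why, while the comment above it says signing happens only "if patatt is available". Since the user has opted in to attestation, failing closed looks like the right behaviour, but it should be explicit: `command -v patatt >/dev/null 2>&1 || { echo "sendemail.runPatatt is set but patatt was not found" >&2; return 1; }`, with the comment reworded to match. Separately, the hand-written `case` list treats any unrecognised spelling as off, so a mistyped value silently skips signing; `git config --type=bool` would normalise the value to `true`/`false` instead. How the caller treats validate_patch's return status is outside the hunk.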